
For the second week of National Cyber Security Awareness Month, I’ll discuss the idea of “Secure IT”.
The would-be bad guys are accomplished at relieving unsuspecting victims of their personal information. The tools for a successful cyber theft have evolved significantly. In fact, the tools are easy to install and require little knowledge. And, if you’re a very lazy hacker, “hackers-for-hire” is a real service.
So, what do you do to protect your interests?
“Secure IT”, more specifically, secure your IT, your devices, your services, your gear.
The best way to protect against cyber threats is to be knowledgeable about the products that you use. Specifically, review the security features available on your hardware, software and services.
Let’s start with the most basic, yet, most common issue for most users: the dreaded password.
Passwords are a tough dilemma for security practitioners. We’ve struggled with password management for years. Often, I’m asked, “Why wasn’t something better developed?”
The answer is surprisingly simple. It wasn’t necessary.
The tools and services that employ the internet are built upon a foundation that is nearly fifty years old. Decades ago, the idea of connecting one machine to another, despite distance, was the goal. Everything else was a distraction.
Access to the precursor to the modern internet was controlled by heavy physical security, a small footprint, and expense. Very simply, there weren’t many devices; those that existed were incredibly expensive; and, in order to access the devices, you had to be qualified and navigate a labyrinth of physical obstacles.
In other words, it wasn’t easy.
Fast forward a few decades and access is very easy. Devices outnumber people, and the internet is wireless. Yet, we continue to depend on passwords.
IT security professionals have tried to build protection around services through the use of complex passwords, expiring passwords, one-time passwords, pass-phrases, you name it – but, human behavior is easy to predict. People become complacent and despite all manner of concerns about weak passwords, many people continue to use them because it’s easy.
And, the would-be evildoers know this and exploit it.
Passwords are a consequence of current design and unavoidable. Despite the inherent weaknesses with passwords, they serve as your first layer of protection. As a result, password behavior needs to be strict. For each of your accounts, including social media, use unique, complex passwords. Do not use the same password or variations of the same password for your accounts: create different passwords for everything. Using a unique password for each account shields your other accounts from compromise if one account is hacked.
Despite much discussion about passwords, users continue to create poor, weak passwords. Using simple passwords is not only a bad practice, but, it makes your data vulnerable. Think for a moment about the data you house in your phone, your work environment. If that data were suddenly placed in a public forum for all to see, would you have any concerns? Would your employer have any concerns? How about your family?
Clearly, it is impossible for users to remember scores of passwords. Employ a password manager. The tools will safeguard your password, and, they can create unique, complex passwords for you.
Additionally, enable multi-factor wherever possible. Multi-factor authentication only allows access to your information and services when two or more pieces of evidence are provided successfully. The routine often uses something that you know and a random piece of information that only you can generate or receive.
I’ll pause and offer some empathy. I get it. Passwords are awful. Using a password manager makes things a bit easier, but, multi-factor is annoying.
I agree. And so do the bad guys.
Why?
Because two-factor works.
Use two-factor wherever you have the opportunity. If your bank provides it (most do), use it. All social media apps have two-factor as an option; I don’t know why it’s not enabled by default, but, that’s a different story.
And please, please, turn on two-factor for email. In doing so, you almost completely negate the greatest opportunity for bad guys to impersonate you or your business.
As I finish two-factor and passwords, it’s important to underscore phishing awareness as a key component to securing your IT.
Often I’ve said that “bad guys want to get inside your computer or network.” The easiest way to do that is via email.
Think about email for a moment.
It’s an electronic thing that is created elsewhere and arrives into your device, your network. It’s the easiest way for someone to get “inside” your digital space.
As a result, the bad guys love phishing.
When they pose as your friends, your bank, or your co-workers and send a very convincing email, the likelihood that your security awareness is lowered is significant.
Double-check email. Review the sender address carefully. Don’t click on links or open attachments unless you were expecting them. And, avoid responding to emergency email messages, especially those that claim that money is needed, or, an urgent response is needed to preserve your bank access or social security benefits – financial institutions and the US government don’t send those types of messages.
Lastly, another layer to your IT security is prudent e-commerce practices. Scammers come at us constantly. One of the most common methods is through trickery that involves disguised websites. If you want to visit an online vendor, visit the site through a saved bookmark, or, from a reputable search engine. Don’t click on links that “look like Amazon, Wal-Mart, etc.” Bad guys have improved their impersonation skills and they manage websites that look identical to the real thing. And they will steal your money quickly.
Secure your “IT”. Take careful steps to review your tools and use safe computing habits at all times.
